Doing a PoC on RPM signing and am currently stuck. I created a GPG key on my laptop using git bash. Then exported the public key, private key and the trustdb. In my GitLab project, I added all 3 files. My yml is given below:
rpm_sign:
  stage: sign
  image: centos:latest
  only:
    - master
  script:
    - yum install -y rpm-sign
    - gpg --import public.pgp
    - gpg --import private.pgp
    - gpg --import-ownertrust < trust.txt
    - gpg --list-keys --keyid-format LONG
    - gpg --list-secret-keys --keyid-format LONG
    - rpm --define "_gpg_name eavibis" --define "_signature gpg" --addsign ics-service-rpm-1.0.3-1.noarch.rpm
    - rpm --checksig ics-service-rpm-1.0.3-1.noarch.rpm
    - tar -zcvf signed_rpm.tar.gz *.rpm
  tags:
    - docker-devuser
  artifacts:
    paths:
      - $CI_PROJECT_DIR/*.tar.gz
    expire_in: 1 hour
If I run the addsign command twice, on the second run, I get the message:
warning: ics-service-rpm-1.0.3-1.noarch.rpm already contains identical signature, skipping
This clearly indicates that the signature has been added. However, in the checksig command output I am getting the following error:
ics-service-rpm-1.0.3-1.noarch.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#3d525b88)
What am I doing wrong?
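Added example, not part of the original question. The MISSING KEYS result comes from the fact that rpm --checksig verifies against rpm's own keyring, the gpg-pubkey-<keyid>-<timestamp> pseudo-packages in the rpm database that are populated by rpm --import, and not against the GnuPG keyring that gpg --import fills. In a fresh centos container that rpm keyring is empty, so the signature is applied correctly (the GnuPG keyring is what signing uses) but verification fails, and 3d525b88 is the key id rpm expected to find installed as gpg-pubkey-3d525b88-<timestamp>. The shell below is a corrected job body with a small parser for the checksig output; it uses the file names and key name from the post, and the helper names are assumptions. One caveat a reviewer would raise on the job as written: the private key and trust database should come from a protected, masked file-type CI variable rather than from files committed to the project.

```shell
#!/bin/sh
# Added example, not code from the original question. It assumes the file
# names and key name used in the post (public.pgp, private.pgp, trust.txt,
# "eavibis", ics-service-rpm-1.0.3-1.noarch.rpm); the helper names are
# hypothetical.
#
# rpm verifies signatures against its OWN keyring, stored in the rpm database
# as gpg-pubkey-<keyid>-<timestamp> pseudo-packages and filled by
# `rpm --import`. `gpg --import` only fills the GnuPG keyring, which rpm uses
# for signing (via the _gpg_name macro), never for --checksig.

# Extract the key ids a `rpm --checksig` line reports as missing, e.g.
#   pkg.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#3d525b88)
# Prints one lowercase 8-hex-digit id per line, nothing if none is missing.
extract_missing_key_ids() {
    printf '%s\n' "$1" \
        | grep -o 'MISSING KEYS:.*' \
        | grep -o '#[0-9A-Fa-f]\{8\}' \
        | tr -d '#' \
        | tr 'A-F' 'a-f'
}

# Name of the pseudo-package rpm installs for a key id, queryable with rpm -q.
rpm_key_name() {
    printf 'gpg-pubkey-%s\n' "$1"
}

# 0 when a --checksig line reports every signature OK, 1 otherwise.
# ("OK" is a substring of "NOT OK", so the failure string is tested first.)
checksig_ok() {
    case "$1" in
        *"NOT OK"*) return 1 ;;
        *" OK"*)    return 0 ;;
        *)          return 1 ;;
    esac
}

# Corrected job body: sign with the GnuPG keyring, then put the public key
# where --checksig looks before verifying. Any key id the checksig output still
# reports as missing is named as the rpm pseudo-package that is absent.
sign_and_verify() {
    pkg=$1; pubkey=$2; privkey=$3; trust=$4; keyname=$5
    gpg --import "$pubkey"
    gpg --import "$privkey"
    gpg --import-ownertrust < "$trust"
    rpm --define "_gpg_name $keyname" --define "_signature gpg" --addsign "$pkg"

    rpm --import "$pubkey"                     # the step missing from the job
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}  %{SUMMARY}\n'

    out=$(rpm --checksig "$pkg" 2>&1) || true  # rpm -K exits 1 on NOT OK; inspect the text
    printf '%s\n' "$out"
    for id in $(extract_missing_key_ids "$out"); do
        echo "rpm keyring has no $(rpm_key_name "$id"); import the matching public key" >&2
    done
    checksig_ok "$out"
}

# Run the real thing only when invoked with "run" on a host that has the tools.
if [ "${1-}" = "run" ] && command -v rpm >/dev/null 2>&1 && command -v gpg >/dev/null 2>&1; then
    sign_and_verify ics-service-rpm-1.0.3-1.noarch.rpm public.pgp private.pgp trust.txt eavibis
fi
```

Invoke it as `sh sign.sh run` from the job's script section; without the `run` argument it only defines the functions. The `rpm -q gpg-pubkey --qf ...` line is worth keeping in the job log: it shows exactly which keys rpm trusts at verification time, which is the list the GnuPG output from `gpg --list-keys` says nothing about.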